The Elasticsearch security features enable you to easily secure a cluster. You can password-protect your data as well as implement more advanced security measures such as encrypting communications, role-based access control, IP filtering, and auditing. For more information, see Securing the Elastic Stack.
To use Elasticsearch security features:
Verify that you are using a license that includes the security features.
If you want to try all of the platinum features, you can start a 30-day trial. At the end of the trial period, you can purchase a subscription to keep using the full functionality. For more information, see https://www.elastic.co/subscriptions and License Management.
Verify that the xpack.security.enabled setting is true on each node in your cluster. If you are using a trial license, the default value is false.
For more information, see Security Settings in Elasticsearch.
Configure Transport Layer Security (TLS/SSL) for internode-communication.
This requirement applies to clusters with more than one node and to clusters with a single node that listens on an external interface. Single-node clusters that use a loopback interface do not have this requirement. For more information, see Encrypting Communications.
Set the passwords for all built-in users.
The Elasticsearch security features provide built-in users to help you get up and running. The elasticsearch-setup-passwords command is the simplest method to set the built-in users' passwords for the first time.
For example, you can run the command in an "interactive" mode, which prompts you to enter new passwords for the built-in users:
bin/elasticsearch-setup-passwords interactive
For more information about the command options, see elasticsearch-setup-passwords.
The elasticsearch-setup-passwords command uses a transient bootstrap password that is no longer valid after the command runs successfully. You cannot run the elasticsearch-setup-passwords command a second time. Instead, you can update passwords from the Management > Users UI in Kibana or use the security user API.
Choose which types of realms you want to use to authenticate users.
Set up roles and users to control access to Elasticsearch.
For example, to grant John Doe full access to all indices that match the pattern events* and enable him to create visualizations and dashboards for those indices in Kibana, you could create an events_admin role and assign the role to a new johndoe user.
curl -XPOST -u elastic 'localhost:9200/_security/role/events_admin' -H "Content-Type: application/json" -d '{
  "indices" : [
    {
      "names" : [ "events*" ],
      "privileges" : [ "all" ]
    },
    {
      "names" : [ ".kibana*" ],
      "privileges" : [ "manage", "read", "index" ]
    }
  ]
}'

curl -XPOST -u elastic 'localhost:9200/_security/user/johndoe' -H "Content-Type: application/json" -d '{
  "password" : "userpassword",
  "full_name" : "John Doe",
  "email" : "john.doe@anony.mous",
  "roles" : [ "events_admin" ]
}'
Enable auditing to keep track of attempted and successful interactions with your Elasticsearch cluster:
Add the following setting to elasticsearch.yml
on all nodes in your cluster:
xpack.security.audit.enabled: true
For more information, see Auditing Security Events and Auditing settings.
Events are logged to a dedicated <clustername>_audit.json file in ES_HOME/logs on each cluster node.
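As an added example (not code from the Elasticsearch documentation), the following Python scan reads constructed lines in the newline-delimited JSON layout of that audit file, counts authentication failures per client address and lists access_denied events, which is the kind of review the audit trail is kept for. The field names (event.action, origin.address, user.name, action, indices) are assumed from the 7.x JSON audit format, and every value in the sample lines is invented.

```python
import json
from collections import Counter

# Constructed sample lines in the layout of <clustername>_audit.json.
# Field names are assumed from the 7.x JSON audit format; values are invented.
SAMPLE_AUDIT_LOG = """\
{"type":"audit","timestamp":"2020-01-01T10:00:00,000+0000","node.name":"node-1","event.type":"rest","event.action":"authentication_failed","user.name":"elastic","origin.address":"10.0.0.5:51234","request.method":"GET","url.path":"/_cluster/health"}
{"type":"audit","timestamp":"2020-01-01T10:00:01,000+0000","node.name":"node-1","event.type":"rest","event.action":"authentication_failed","user.name":"elastic","origin.address":"10.0.0.5:51235","request.method":"GET","url.path":"/_cluster/health"}
{"type":"audit","timestamp":"2020-01-01T10:00:02,000+0000","node.name":"node-1","event.type":"rest","event.action":"authentication_failed","user.name":"johndoe","origin.address":"10.0.0.5:51236","request.method":"GET","url.path":"/events-2020/_search"}
{"type":"audit","timestamp":"2020-01-01T10:00:03,000+0000","node.name":"node-1","event.type":"rest","event.action":"authentication_success","user.name":"johndoe","origin.address":"10.0.0.7:40010","request.method":"GET","url.path":"/events-2020/_search"}
{"type":"audit","timestamp":"2020-01-01T10:00:04,000+0000","node.name":"node-1","event.type":"transport","event.action":"access_denied","user.name":"johndoe","user.roles":["events_admin"],"origin.address":"10.0.0.7:40011","action":"indices:data/write/index","indices":["logs-2020"]}
"""


def parse_audit_lines(text):
    """Return one dict per audit event; blank, truncated or non-JSON lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a partially written or foreign line must not abort the whole scan
        if event.get("type") == "audit":
            events.append(event)
    return events


def summarize(events, failure_threshold=3):
    """Count authentication_failed per client address (port stripped) and collect access_denied events."""
    failures = Counter()
    denied = []
    for e in events:
        action = e.get("event.action")
        # "10.0.0.5:51234" -> "10.0.0.5"; the ephemeral port is not useful for grouping
        addr = e.get("origin.address", "").rsplit(":", 1)[0]
        if action == "authentication_failed":
            failures[addr] += 1
        elif action == "access_denied":
            denied.append((e.get("user.name"), e.get("action"), e.get("indices")))
    noisy = sorted(a for a, n in failures.items() if n >= failure_threshold)
    return {"failures": dict(failures), "noisy_sources": noisy, "denied": denied}


if __name__ == "__main__":
    print(json.dumps(summarize(parse_audit_lines(SAMPLE_AUDIT_LOG)), indent=2))
```

The access_denied entry shows a user holding events_admin attempting a write outside the events* pattern, which is exactly the privilege boundary the role above defines.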